Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: c8f22155c69a8d2e1ed553e4134a75925fe44e7b ("[PATCH] scsi: simplify registration of scsi host sysfs attributes")
url: https://github.com/0day-ci/linux/commits/Damien-Le-Moal/scsi-simplify-reg...
base: https://git.kernel.org/cgit/linux/kernel/git/jejb/scsi.git for-next
patch link: https://lore.kernel.org/linux-scsi/20211115092922.367777-1-damien.lemoal@...
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang(a)intel.com>
[ 75.083868][ T220] BUG: KASAN: slab-out-of-bounds in show_shost_state (drivers/scsi/scsi_sysfs.c:226)
[ 75.087293][ T220] Read of size 4 at addr ffff888185efdfa0 by task systemd-udevd/220
[ 75.088813][ T220]
[ 75.089303][ T220] CPU: 1 PID: 220 Comm: systemd-udevd Not tainted 5.15.0-rc1-00402-gc8f22155c69a #1
[ 75.091095][ T220] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 75.094101][ T220] Call Trace:
[ 75.094774][ T220] dump_stack_lvl (lib/dump_stack.c:107)
[ 75.095737][ T220] print_address_description+0x21/0x140
[ 75.097045][ T220] ? show_shost_state (drivers/scsi/scsi_sysfs.c:226)
[ 75.098053][ T220] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459)
[ 75.100021][ T220] ? __kprobes_text_end (arch/x86/entry/entry_64.S:90)
[ 75.101185][ T220] ? show_shost_state (drivers/scsi/scsi_sysfs.c:226)
[ 75.102235][ T220] show_shost_state (drivers/scsi/scsi_sysfs.c:226)
[ 75.103206][ T220] dev_attr_show (drivers/base/core.c:2060)
[ 75.104120][ T220] ? memset (mm/kasan/shadow.c:44)
[ 75.104927][ T220] sysfs_kf_seq_show (fs/sysfs/file.c:62)
[ 75.105846][ T220] seq_read_iter (fs/seq_file.c:231)
[ 75.106677][ T220] new_sync_read (fs/read_write.c:405 (discriminator 1))
[ 75.107538][ T220] ? __check_object_size (mm/usercopy.c:240 mm/usercopy.c:286 mm/usercopy.c:256)
[ 75.108385][ T220] ? __x64_sys_llseek (fs/read_write.c:394)
[ 75.109453][ T220] ? kasan_set_track (mm/kasan/common.c:46)
[ 75.110331][ T220] ? file_open_root (fs/open.c:1186)
[ 75.111274][ T220] vfs_read (fs/read_write.c:485)
[ 75.112122][ T220] ksys_read (fs/read_write.c:623)
[ 75.112997][ T220] ? vfs_write (fs/read_write.c:613)
[ 75.113923][ T220] ? filp_open (fs/open.c:1214)
[ 75.114797][ T220] ? exit_to_user_mode_prepare (include/linux/sched.h:2196 kernel/entry/common.c:176 kernel/entry/common.c:209)
[ 75.115950][ T220] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 75.116871][ T220] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[ 75.118057][ T220] RIP: 0033:0x7f201be6b6e0
[ 75.118968][ T220] Code: 73 01 c3 48 8b 0d c8 88 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 09 cd 20 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fc ff ff 48 89 04 24
All code
========
0: 73 01 jae 0x3
2: c3 retq
3: 48 8b 0d c8 88 20 00 mov 0x2088c8(%rip),%rcx # 0x2088d2
a: f7 d8 neg %eax
c: 64 89 01 mov %eax,%fs:(%rcx)
f: 48 83 c8 ff or $0xffffffffffffffff,%rax
13: c3 retq
14: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
1a: 83 3d 09 cd 20 00 00 cmpl $0x0,0x20cd09(%rip) # 0x20cd2a
21: 75 10 jne 0x33
23: b8 00 00 00 00 mov $0x0,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 31 jae 0x63
32: c3 retq
33: 48 83 ec 08 sub $0x8,%rsp
37: e8 ee fc ff ff callq 0xfffffffffffffd2a
3c: 48 89 04 24 mov %rax,(%rsp)
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 31 jae 0x39
8: c3 retq
9: 48 83 ec 08 sub $0x8,%rsp
d: e8 ee fc ff ff callq 0xfffffffffffffd00
12: 48 89 04 24 mov %rax,(%rsp)
[ 75.122718][ T220] RSP: 002b:00007ffec8eaa5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 75.124290][ T220] RAX: ffffffffffffffda RBX: 0000557995dc3451 RCX: 00007f201be6b6e0
[ 75.125722][ T220] RDX: 0000000000001000 RSI: 00007ffec8eaaa80 RDI: 0000000000000008
[ 75.127340][ T220] RBP: 0000000000000008 R08: 0000557995dc3451 R09: 0000000000000000
[ 75.131857][ T220] R10: 00000000fffffff0 R11: 0000000000000246 R12: 0000557995da16d0
[ 75.136678][ T220] R13: 00007ffec8eaa680 R14: 00007ffec8eaaa80 R15: 0000557994241850
[ 75.141112][ T220]
[ 75.144807][ T220] Allocated by task 203:
[ 75.148685][ T220] kasan_save_stack (mm/kasan/common.c:38)
[ 75.152039][ T220] __kasan_kmalloc (mm/kasan/common.c:46 mm/kasan/common.c:434 mm/kasan/common.c:513 mm/kasan/common.c:522)
[ 75.155801][ T220] kobject_uevent_env (lib/kobject_uevent.c:525)
[ 75.159751][ T220] device_add (drivers/base/core.c:3354)
[ 75.163563][ T220] attribute_container_add_class_device (drivers/base/attribute_container.c:456)
[ 75.167707][ T220] transport_add_class_device (drivers/base/transport_class.c:162)
[ 75.171753][ T220] do_attribute_container_device_trigger_safe (drivers/base/attribute_container.c:257 drivers/base/attribute_container.c:240)
[ 75.176296][ T220] attribute_container_device_trigger_safe (drivers/base/attribute_container.c:315)
[ 75.180677][ T220] ata_tlink_add (drivers/ata/libata-transport.c:682 drivers/ata/libata-transport.c:433) libata
[ 75.184759][ T220] ata_tport_add (drivers/ata/libata-transport.c:307) libata
[ 75.188726][ T220] ata_host_register (drivers/ata/libata-core.c:5790) libata
[ 75.192656][ T220] ata_pci_sff_activate_host (drivers/ata/libata-sff.c:2436) libata
[ 75.196728][ T220] piix_init_one (drivers/ata/ata_piix.c:1744) ata_piix
[ 75.200550][ T220] local_pci_probe (drivers/pci/pci-driver.c:323)
[ 75.204129][ T220] pci_device_probe (drivers/pci/pci-driver.c:380 drivers/pci/pci-driver.c:405 drivers/pci/pci-driver.c:448)
[ 75.207729][ T220] really_probe (drivers/base/dd.c:748)
[ 75.212720][ T220] __driver_probe_device (drivers/base/dd.c:751)
[ 75.216359][ T220] driver_probe_device (drivers/base/dd.c:781)
[ 75.219880][ T220] __driver_attach (drivers/base/dd.c:1141)
[ 75.223362][ T220] bus_for_each_dev (drivers/base/bus.c:301)
[ 75.226978][ T220] bus_add_driver (drivers/base/bus.c:619)
[ 75.230495][ T220] driver_register (drivers/base/driver.c:171)
[ 75.234117][ T220] ata_generic_init_one (drivers/ata/ata_generic.c:164) ata_generic
[ 75.237970][ T220] do_one_initcall (init/main.c:1303)
[ 75.241436][ T220] do_init_module (kernel/module.c:3695)
[ 75.245117][ T220] load_module (kernel/module.c:4096)
[ 75.248688][ T220] __do_sys_finit_module (kernel/module.c:4187)
[ 75.252309][ T220] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 75.255891][ T220] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[ 75.259725][ T220]
[ 75.262819][ T220] Freed by task 203:
[ 75.266220][ T220] kasan_save_stack (mm/kasan/common.c:38)
[ 75.269714][ T220] kasan_set_track (mm/kasan/common.c:46)
[ 75.273153][ T220] kasan_set_free_info (mm/kasan/generic.c:362)
[ 75.276784][ T220] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 75.280450][ T220] kfree (mm/slub.c:1725 mm/slub.c:3483 mm/slub.c:4543)
[ 75.283746][ T220] kobject_uevent_env (lib/kobject_uevent.c:628)
[ 75.287455][ T220] device_add (drivers/base/core.c:3354)
[ 75.291013][ T220] attribute_container_add_class_device (drivers/base/attribute_container.c:456)
[ 75.294654][ T220] transport_add_class_device (drivers/base/transport_class.c:162)
[ 75.298043][ T220] do_attribute_container_device_trigger_safe (drivers/base/attribute_container.c:257 drivers/base/attribute_container.c:240)
[ 75.301849][ T220] attribute_container_device_trigger_safe (drivers/base/attribute_container.c:315)
[ 75.305512][ T220] ata_tlink_add (drivers/ata/libata-transport.c:682 drivers/ata/libata-transport.c:433) libata
[ 75.309072][ T220] ata_tport_add (drivers/ata/libata-transport.c:307) libata
[ 75.312580][ T220] ata_host_register (drivers/ata/libata-core.c:5790) libata
[ 75.316155][ T220] ata_pci_sff_activate_host (drivers/ata/libata-sff.c:2436) libata
[ 75.320070][ T220] piix_init_one (drivers/ata/ata_piix.c:1744) ata_piix
[ 75.323550][ T220] local_pci_probe (drivers/pci/pci-driver.c:323)
[ 75.327031][ T220] pci_device_probe (drivers/pci/pci-driver.c:380 drivers/pci/pci-driver.c:405 drivers/pci/pci-driver.c:448)
[ 75.330781][ T220] really_probe (drivers/base/dd.c:748)
[ 75.330799][ T220] __driver_probe_device (drivers/base/dd.c:751)
[ 75.330805][ T220] driver_probe_device (drivers/base/dd.c:781)
[ 75.330810][ T220] __driver_attach (drivers/base/dd.c:1141)
[ 75.330815][ T220] bus_for_each_dev (drivers/base/bus.c:301)
[ 75.330822][ T220] bus_add_driver (drivers/base/bus.c:619)
[ 75.330826][ T220] driver_register (drivers/base/driver.c:171)
[ 75.330830][ T220] ata_generic_init_one (drivers/ata/ata_generic.c:164) ata_generic
[ 75.330838][ T220] do_one_initcall (init/main.c:1303)
[ 75.330845][ T220] do_init_module (kernel/module.c:3695)
[ 75.330852][ T220] load_module (kernel/module.c:4096)
[ 75.330858][ T220] __do_sys_finit_module (kernel/module.c:4187)
[ 75.330864][ T220] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 75.330871][ T220] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[ 75.330878][ T220]
[ 75.330881][ T220] The buggy address belongs to the object at ffff888185efc000
[ 75.330881][ T220] which belongs to the cache kmalloc-4k of size 4096
[ 75.330887][ T220] The buggy address is located 4000 bytes to the right of
[ 75.330887][ T220] 4096-byte region [ffff888185efc000, ffff888185efd000)
[ 75.330893][ T220] The buggy address belongs to the page:
[ 75.330897][ T220] page:00000000dd2ce934 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x185ef8
[ 75.330905][ T220] head:00000000dd2ce934 order:3 compound_mapcount:0 compound_pincount:0
[ 75.330910][ T220] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 75.330922][ T220] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ffff888100042140
[ 75.330927][ T220] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 75.330930][ T220] page dumped because: kasan: bad access detected
[ 75.330933][ T220] page_owner tracks the page as allocated
[ 75.330936][ T220] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 203, ts 70805329119, free_ts 70803576189
[ 75.330947][ T220] prep_new_page (include/linux/page_owner.h:31 mm/page_alloc.c:2418 mm/page_alloc.c:2424)
[ 75.330954][ T220] get_page_from_freelist (mm/page_alloc.c:4159)
[ 75.330960][ T220] __alloc_pages (mm/page_alloc.c:5376)
[ 75.330965][ T220] allocate_slab (mm/slub.c:1763 mm/slub.c:1900)
[ 75.330972][ T220] ___slab_alloc (mm/slub.c:2994)
[ 75.330977][ T220] __slab_alloc+0x1c/0x40
To reproduce:
# build kernel
cd linux
cp config-5.15.0-rc1-00402-gc8f22155c69a .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang